Re: [squid-users] Re: transparent proxy on remote box issue

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 26 Oct 2013 15:55:33 +1300

On 26/10/2013 8:46 a.m., WorkingMan wrote:
> What I tried:
>
> 1) with clean.rules I can connect to VPN and access internet without any
> issue
> 1b) On SQUID or VPN server curl -x http://localhost:3130 www.nba.com works
> 2) with proxy.rules VPN client gets invalid URL (previously mentioned error).
> proxy is not intercept or transparent
>
> http_port 3130
> http_access allow all
>
> #used the first method
> #http://www.tldp.org/HOWTO/TransparentProxy-6.html

There is part of your problem. The first method does not work. It has
never worked except as a side effect of a security vulnerability bug,
which has now been fixed.

> export vpnclients=<VPN client IP; ex: 10.10.0.0/24>
> export SQUID=<SQUID IP>
> export SQUID_PORT=<SQUID PORT>
>
>
> iptables -t nat -A PREROUTING -i eth0 ! -s ${SQUID} -p tcp --dport 80 -j DNAT --to ${SQUID}:${SQUID_PORT}
> iptables -t nat -A POSTROUTING -o eth0 -s ${vpnclients} -d ${SQUID} -j SNAT --to ${SQUID}
> iptables -A FORWARD -s ${vpnclients} -d ${SQUID} -i eth0 -o eth0 -p tcp --dport ${SQUID_PORT} -j ACCEPT
>
> It did mention that HTTP/1.0 will not work properly for some reason. It's
> not possible to test the second method since EC2 classic doesn't allow me to
> add a second network interface (I will probably have to try VPC later on)

Interfaces are relevant to this setup. What's the problem?

> I tried to understand the issue from the code but it wasn't 100% clear.
>
> client_side.cc(2319) parseHttpRequest: HTTP Client local=<SQUID IP>:3130
> remote=<VPN server>:65090 FD 10 flags=1
> client_side.cc(2320) parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET / HTTP/1.1
> Host: www.nba.com
> Accept-Encoding: gzip, deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M
> Cookie: s_fid=32FDC9FA0E2D94CE-297956A1143A207A; s_vi=
> [CS]v1|28AFB9BC0501287A-600001094003481F[CE]^M
> Connection: keep-alive
> Accept-Language: en-us
> User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_2 like Mac OS X)
> AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A501
> Safari/9537.53
>
> This looks good to me and works (test and works as a request) but then I see
> this error message and then it went to show SQUID's error page. It doesn't
> really tell me why it's not working.

That line above the headers is showing the problem:

    HTTP Client local=<SQUID IP>:3130 remote=<VPN server>:65090 FD 10 flags=1

local= contains the details of www.nba.com server where the request is
being fetched .... original dst IP:port from the TCP packets.
remote= contains the client src IP:port from the TCP packets.

Your NAT is still being done at the client end of the connection before
it reaches the Squid box. This is THE problem. Move the NAT rules.

1) the client end of the VPN needs to contain the routing and MARK rules
from section 6.2 of that page.

2) the VPN tunnel needs to deliver those packets directly onto the Squid
box, avoiding any problems ECN may cause with routing the packets.

  2a) at this point you should still be able to browse the web without
problems. However your packets should be going over the VPN without any
browser or test tool mention of the Squid box IP.

3) the Squid box needs to contain the REDIRECT rule from section 6.2 on
that page, and probably the MASQUERADE rule from section 6.3. Squid
needs the "intercept" http_port option.

  3a) at this point you should still be able to browse the web without
problems using *identical* tests to those made in (2a) when there was no
proxy used. However the traffic should be logged in Squid access.log.

<skipping the rest of your Qs because the necessary info is already
logged in those lines above>

Amos
Received on Sat Oct 26 2013 - 02:55:52 MDT
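A small checker for the debug line Amos points at, added here as an example that is not from the thread or from Squid itself: it parses the `HTTP Client local=... remote=...` line from `parseHttpRequest` and flags the case where local= is the Squid listener rather than the origin server, which is the "NAT done before the Squid box" symptom described above. The Squid address, port and sample log lines are constructed placeholders.

```python
import re

# Shape of the debug line quoted in the thread (client_side.cc parseHttpRequest):
#   HTTP Client local=IP:PORT remote=IP:PORT FD n flags=n
CLIENT_LINE = re.compile(
    r"HTTP Client local=(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+)\s+FD\s+(?P<fd>\d+)\s+flags=(?P<flags>\d+)"
)


def parse_client_line(line):
    """Return the endpoints from a parseHttpRequest debug line, or None if it does not match."""
    m = CLIENT_LINE.search(line)
    if not m:
        return None
    return {
        "local": (m["lip"], int(m["lport"])),   # original dst IP:port as Squid sees it
        "remote": (m["rip"], int(m["rport"])),  # client src IP:port as Squid sees it
        "fd": int(m["fd"]),
        "flags": int(m["flags"]),
    }


def diagnose(line, squid_ip, squid_port):
    """Classify one debug line.

    'upstream-nat': local= is the Squid listener itself, so the DNAT was applied
                    before the packets reached the Squid box and the original
                    destination (the origin server) is no longer recoverable.
    'ok':           local= still carries the origin server, as with REDIRECT on
                    the Squid box and an "intercept" http_port.
    None:           the line is not a parseHttpRequest client line.
    """
    rec = parse_client_line(line)
    if rec is None:
        return None
    return "upstream-nat" if rec["local"] == (squid_ip, squid_port) else "ok"


# Constructed sample lines; addresses are documentation ranges, not real hosts.
SQUID_IP, SQUID_PORT = "192.0.2.10", 3130
BROKEN = ("client_side.cc(2319) parseHttpRequest: HTTP Client "
          "local=192.0.2.10:3130 remote=10.10.0.1:65090 FD 10 flags=1")
WORKING = ("client_side.cc(2319) parseHttpRequest: HTTP Client "
           "local=203.0.113.5:80 remote=10.10.0.23:51000 FD 12 flags=1")

if __name__ == "__main__":
    for name, line in (("broken", BROKEN), ("working", WORKING)):
        print(name, diagnose(line, SQUID_IP, SQUID_PORT))
```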
